
FormBook info-stealing malware has been part of two recent distribution campaigns and is being sold on the Dark Web for as little as $29 a week.

Attackers spreading new malware called FormBook are singling out aerospace firms, defense contractors and some manufacturing organizations in the United States and South Korea.

According to researchers at FireEye, FormBook was spotted in several high-volume distribution campaigns targeting the U.S. with email containing malicious PDF, DOC or XLS attachments. FormBook targets in South Korea are being pelted with email containing malicious archive files (ZIP, RAR, ACE and ISO) with executable payloads.

FormBook is a type of data-stealing malware used in espionage and is capable of keystroke logging, stealing clipboard contents and extracting data from HTTP sessions. Once installed, the malware can also execute commands from a command-and-control (C2) server, such as instructing the malware to download more files, start processes, shut down and reboot a system, and steal cookies and local passwords, according to a FireEye report co-authored by Nart Villeneuve, Randi Eitzman, Sandor Nemes and Tyler Dean.

“One of the malware’s most interesting features is that it reads Windows’ ntdll.dll module from disk into memory, and calls its exported functions directly, rendering user-mode hooking and API monitoring mechanisms ineffective,” according to the FireEye report.

In one scenario described by FireEye, the FormBook payload is delivered via a self-extracting RAR file that when launched starts an AutoIt loader that in turn compiles and runs an AutoIt script. The script decrypts the FormBook payload file, loads it into memory, and then executes it, researchers said.

“While FormBook is not unique in either its functionality or distribution mechanisms, its relative ease of use, affordable pricing structure, and open availability make FormBook an attractive option for cyber criminals of varying skill levels,” researchers noted.

FormBook has been sold in underground hacking forums since July for $29 a week to a $299 full-package “pro” deal, researchers said. Under the malware author’s terms, customers pay for access to a panel and then the malware author generates the executable files as a service.

As for the backend infrastructure, FormBook’s C2 domains are less widespread and typically newer generic top-level domains (.site, .website, .tech, .online, and .info). “The server infrastructure is hosted on BlazingFast.io, a Ukrainian hosting provider. Each server typically has multiple FormBook panel installation locations, which could be indicative of an affiliate model,” according to FireEye.

The malware installs different function hooks depending on the process targeted. Some of the processes include iexplore.exe, firefox.exe, chrome.exe, MicrosoftEdgeCP.exe and explorer.exe. Over 32 processes are targeted. “After injecting into any of the target processes, it sets up user-mode API hooks based on the process,” FireEye said.

It also features a persistence method that randomly changes the path, filename, file extension, and the registry key used for persistence, said researchers.

FireEye detected two distinct email campaigns between Aug. 11 and Aug. 22, and an additional campaign between July 18 and Aug. 17. In one PDF campaign, hackers leveraged FedEx and DHL shipping and package delivery themes.

“In the last few weeks, FormBook was seen downloading other malware families such as NanoCore,” researchers said. “The credentials and other data harvested by successful FormBook infections could be used for additional cybercrime activities including, but not limited to: identity theft, continued phishing operations, bank fraud and extortion.”

